(54) Network access authentication system

(57) A network access authentication system including a directory service containing a remote access password and a standard access password for each user of the network, using an authentication protocol that provides information on whether a user is accessing the network locally or remotely, and including a front-end between the directory service and the authentication protocol. The front-end executes the steps of:

receiving a user identifier and a user password entered by a user through said authentication protocol;
retrieving from the directory service the remote access password and the standard access password corresponding to the user identifier;
if the authentication protocol indicates a remote access, comparing the user password to the remote access password, else comparing the user password to the standard access password; and
granting access to the network if the comparing step is successful.
tion with the directory service using the directory service protocol, LDAP in the preferred embodiment. Moreover, the front-end behaves as the server for the clients using the corresponding authentication protocol. As shown, a NAS (network access server) 16 runs a RADIUS client which will exchange authentication information with the corresponding front-end 22 by using the RADIUS protocol. Remote clients connect to the NAS 16 using, for example, the Point-to-Point Protocol (PPP).

[0030] The front-ends 22 are, in a preferred embodiment, implemented within the computer 20 hosting the directory service. They can however be implemented in other computers connected to the network.

[0031] The directory is maintained by an administrator using a conventional LDAP client (shown in Figure 1).

[0032] When a remote user wishes to access the network, he provides a user identifier XUserId and a password XPassWd. This information is passed to the RADIUS client application which conventionally carries out a RADIUS authentication transaction with the available RADIUS server, i.e. the RADIUS front-end according to the invention.

[0033] According to the RADIUS protocol, like for other high-level protocols such as TACACS and LDAP, information is exchanged in the form of attributes. Each attribute has a unique attribute identifier and an attribute value.

[0034] During the RADIUS authentication transaction, the client will in particular pass to the RADIUS server the attribute "User-Name" with the value XUserId (the user identifier entered by the remote user), the attribute "Password" with the value XPassWd (the password entered by the remote user), and the attribute "Framed-Protocol" with a value indicating if a remote access protocol is used and if so, which one (in this case PPP). In practice, the password XPassWd will be encrypted on the PPP link and decrypted by the NAS 16. The RADIUS client will again encrypt the password conforming to the RADIUS specifications.
[0035] The RADIUS server needs to compare the user identifier and the password with predefined values which, in a conventional system, are stored in a dedicated file. According to the invention, the front-end's RADIUS server, instead of retrieving this data from a file, will make the front-end's LDAP client fetch it from the directory service 24. For this purpose, the front-end converts the required RADIUS attributes to LDAP attributes using an attribute mapping table 22-1. In particular, the RADIUS attribute "User-Name" is mapped to the LDAP attribute "uid". The LDAP client then conventionally issues a request to the LDAP server for data associated with attribute "uid" having value XUserId (the user identifier). The LDAP server conventionally returns the requested attributes with their corresponding values stored in the directory.

[0036] In figure 2, the requested attributes are, for example, "userPassword", which is a password to use for local or standard accesses, "PppPassWd", which is a password to use normally for remote accesses, and "PppProfile", which is a flag that indicates whether or not the user should use his remote access password when using a remote access. Depending on the values of these attributes and those received from the RADIUS client, the front-end's RADIUS server will either deny or grant access to the network.

[0037] Figure 3 shows an exemplary flow chart of the operations carried out by the RADIUS front-end of figure 2 when a user wishes to access the network remotely.

[0038] At 100, the front-end receives from the RADIUS client the attributes corresponding to the user identifier XUserId, the entered password XPassWd, and the type of the remote access protocol, PPP. The first two values are provided by the user, whereas the third value is provided by the RADIUS client, which is aware of the type of remote access protocol used.

[0039] At 102, the RADIUS attribute "User-Name" is mapped to the LDAP attribute "uid" with the user identifier value XUserId. An LDAP request is then issued to retrieve from the directory the attributes "userPassword", "PppPassWd" and "PppProfile" from an entry corresponding to value XUserId for attribute "uid".

[0040] At 104, if the LDAP server cannot satisfy the request because no entry corresponds to XUserId, access to the network is denied at 106. Else, at 108, the value of the "Framed-Protocol" attribute is checked.

[0041] If at 108 the "Framed-Protocol" attribute indicates a PPP access, it is checked whether the "PppProfile" flag is zero at 114. The "PppProfile" flag is optional and allows the administrator either to force a user to always use the same password, i.e. the standard access password, whether he is accessing the network remotely or not, or to force the user to use different passwords depending on the access mode.

[0042] If the "PppProfile" attribute is not zero at 114, the password XPassWd entered by the user is compared to the value of attribute "PppPassWd" at 116. If the comparison fails, access is denied at 106. Otherwise, access is granted at 112.

[0043] If the "PppProfile" attribute is zero at 114, the password XPassWd entered by the user is compared at 118 to the value of attribute "userPassword" returned by the LDAP server. If the comparison fails, access is denied at 106, whereas, if it is successful, access is granted at 112.

[0044] If, at 108, the "Framed-Protocol" attribute does not indicate a PPP access, the same steps as carried out for the PPP access mode from 114 are carried out at 120 for any other possible access mode identified by the "Framed-Protocol" attribute. For example, if another possible remote access mode is SLIP, an enable flag "SlipProfile" and a password attribute "SlipPassWd" may be set for the user in the directory. The values of these attributes are compared respectively to zero and to the password XPassWd at steps similar to steps 114 and 116. Access is then granted or denied at steps similar to 112 or 106 if the flag "SlipProfile" is non-zero.

[0045] If flag "SlipProfile" is zero or if no remote access mode is identified, the password XPassWd is compared to the value of attribute "userPassword" at 118 before granting or denying access.
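The decision procedure of figure 3 (paragraphs [0037] to [0045]), written out as an added Python example. This is not code from the patent: the in-memory directory standing in for the LDAP server, the RADIUS attributes as a dictionary, the textual "PPP"/"SLIP" values for Framed-Protocol (the real RADIUS attribute carries an integer), the constant-time comparison, and the rule that a missing remote-access password denies rather than falls back to the standard password are all assumptions made here for illustration. It generalizes the SLIP case of [0044] by table-driving the enable-flag/password pair per access mode, so step 120 is the same code path as steps 114 and 116.

```python
"""Toy RADIUS-to-LDAP front-end implementing the figure 3 decision procedure.

Added example, not the patent's own code. Step numbers in comments refer to
figure 3 of the patent.
"""
import hmac

# Attribute mapping table (22-1 in the patent): RADIUS attribute -> LDAP attribute.
# Only the "User-Name" -> "uid" mapping is given in the text.
RADIUS_TO_LDAP = {"User-Name": "uid"}

# Per remote-access mode: (enable-flag attribute, remote-password attribute).
# The PPP and SLIP pairs are the ones named in the patent; the textual keys are
# an assumption of this example (RADIUS encodes Framed-Protocol as an integer).
REMOTE_PROFILES = {
    "PPP": ("PppProfile", "PppPassWd"),
    "SLIP": ("SlipProfile", "SlipPassWd"),
}

# Constructed sample directory standing in for the LDAP server (24), keyed by uid.
DIRECTORY = {
    "alice": {"uid": "alice", "userPassword": "local-secret",
              "PppPassWd": "dialin-secret", "PppProfile": "1"},
    "bob":   {"uid": "bob", "userPassword": "one-password", "PppProfile": "0"},
    "carol": {"uid": "carol", "userPassword": "carol-local",
              "SlipPassWd": "carol-slip", "SlipProfile": "1"},
}


def ldap_lookup(directory, attribute, value, wanted):
    """Return the wanted attributes of the entry whose `attribute` equals `value`,
    or None when no entry matches (steps 102 and 104)."""
    for entry in directory.values():
        if entry.get(attribute) == value:
            return {a: entry[a] for a in wanted if a in entry}
    return None


def passwords_match(entered, stored):
    """Constant-time comparison: a hardening choice of this example, not
    something the patent specifies."""
    return hmac.compare_digest(entered.encode(), stored.encode())


def authenticate(radius_attrs, directory=DIRECTORY):
    """Return ("grant", step) or ("deny", step) for the attributes of one
    RADIUS authentication request."""
    # Step 100: User-Name, Password and Framed-Protocol arrive from the RADIUS client.
    user_id = radius_attrs.get("User-Name")
    entered = radius_attrs.get("Password")
    framed = radius_attrs.get("Framed-Protocol")
    if user_id is None or entered is None:
        return ("deny", 106)

    # Step 102: map User-Name -> uid and fetch the authentication attributes.
    wanted = ["userPassword"] + [a for pair in REMOTE_PROFILES.values() for a in pair]
    entry = ldap_lookup(directory, RADIUS_TO_LDAP["User-Name"], user_id, wanted)
    if entry is None:  # step 104: no entry for this uid -> step 106
        return ("deny", 106)

    # Step 108: which remote access mode, if any, does Framed-Protocol indicate?
    profile = REMOTE_PROFILES.get(framed)
    if profile is not None:
        flag_attr, pw_attr = profile
        # Step 114 (step 120 for non-PPP modes): a non-zero flag selects the
        # remote-access password; a zero or absent flag falls through to step 118.
        if entry.get(flag_attr, "0") != "0":
            stored = entry.get(pw_attr)
            # Assumption: a missing remote-access password denies (step 106).
            if stored is None or not passwords_match(entered, stored):
                return ("deny", 106)
            return ("grant", 112)  # step 116 succeeded

    # Step 118: local access, unknown mode, or flag zero -> standard password.
    stored = entry.get("userPassword")
    if stored is None or not passwords_match(entered, stored):
        return ("deny", 106)
    return ("grant", 112)


if __name__ == "__main__":
    for req in ({"User-Name": "alice", "Password": "dialin-secret", "Framed-Protocol": "PPP"},
                {"User-Name": "alice", "Password": "local-secret", "Framed-Protocol": "PPP"},
                {"User-Name": "bob", "Password": "one-password", "Framed-Protocol": "PPP"}):
        print(req["User-Name"], req.get("Framed-Protocol"), "->", authenticate(req))
```

The function reports the figure 3 step at which it granted or denied, so a front-end built this way can log which branch each decision took (remote password, standard password, or unknown user). A deployment would additionally scope the directory search to the user subtree and fail closed when the LDAP server cannot be reached, neither of which the flow chart addresses.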
[0046] It is apparent from the flowchart of figure 3 that an administrator may set at least two different passwords for a user in the directory. The administrator may force the user to use different passwords depending on the access mode (local or remote) and thus improve the security of the network. This feature may be overridden if the administrator sets the "PppProfile" attribute to 0. The user will then only use one password independently of the access mode, which may improve his comfort.

[0047] Provided that the system according to the invention has a front-end for each authentication protocol used on the network, it allows each user to have a single user identifier and a reduced number of passwords usable for any access or service on the network needing an authentication. The security of the network is improved when the administrator forces the user to have two passwords, one for local accesses, the other for remote accesses. An advantage of the system is that different front-ends may share the same password (PppPassWd, SlipPassWd) for the same access mode (PPP, SLIP).

[0048] User entries in the directory are customized for the needs of the invention, i.e. they have specific attributes which are not necessarily defined in existing directories. Directory service protocols, such as LDAP, are extensible in that an administrator may define new entry types in the directory, which entries may inherit attributes from pre-existing entry types or have newly defined attributes.

[0049] With LDAP, each entry of the directory is an instance of an "object class". An object class defines the attributes which must be used and the attributes which may be used in a corresponding entry. In this manner, new entry types may be added to the directory transparently, provided that the LDAP client and the LDAP server both use the same object class definitions. An LDAP object class definition for user entries having the attributes exemplified above would be:



    objectclass RemoteUser
        superior top
        requires
            uid
        allows
            userPassword,
            PppPassWd,
            PppProfile,
            SlipPassWd,
            SlipProfile


[0050] The statement "superior top" indicates that the 
object class inherits from the attributes of a previously 
defined object class "top". The statement "requires" is 
followed by a list of attributes that all the corresponding 
entries of the directory must have. The statement 
"allows" is followed by a list of attributes which are 
optional. 

[0051] An instance of this object class, i.e. a corresponding entry in the directory, could be defined as follows:

    dn: uid = XUserId, l = ?, o = ?, c = ?
    objectclass = RemoteUser
    uid = XUserId
    userPassword = XPassWd
    PppPassWd = XPassWd2
    PppProfile = 1

[0052] The statement "dn:" defines the "distinguished name", which is a unique identifier for the entry. This distinguished name is defined so that the entries are organized hierarchically. For example, it defines the country "c", the organization "o", the location or city "l", and finally the user "uid". The statement "objectclass = RemoteUser" identifies the object class to which the entry belongs.
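The "requires"/"allows" semantics of paragraph [0050] and the "superior top" inheritance, as an added Python example that is not part of the patent: it parses an object class definition written in the same form as the RemoteUser definition quoted above and checks candidate entries against it, the way an LDAP server would refuse an entry that lacks a required attribute or carries one its object class does not permit. The "top" class requiring "objectclass", the case-insensitive attribute-name comparison, and the sample entries are assumptions of this example.

```python
"""Check directory entries against slapd-style object class definitions.

Added example, not the patent's own code. The schema text below is written in
the same "objectclass / superior / requires / allows" form as the RemoteUser
definition in the text; the "top" class is assumed to require "objectclass".
"""

SCHEMA_TEXT = """
objectclass top
    requires
        objectclass

objectclass RemoteUser
    superior top
    requires
        uid
    allows
        userPassword,
        PppPassWd,
        PppProfile,
        SlipPassWd,
        SlipProfile
"""

# Constructed entry in the shape of the one quoted in paragraph [0051].
GOOD_ENTRY = {
    "dn": "uid=XUserId, l=?, o=?, c=?",
    "objectclass": "RemoteUser",
    "uid": "XUserId",
    "userPassword": "XPassWd",
    "PppPassWd": "XPassWd2",
    "PppProfile": "1",
}


def parse_object_classes(text):
    """Return {class name: {"superior": name or None, "requires": set, "allows": set}}.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    classes, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        key, rest = word.lower(), rest.strip()
        if key == "objectclass" and rest:            # "objectclass NAME" opens a class
            current = classes.setdefault(rest, {"superior": None, "requires": set(), "allows": set()})
            section = None
        elif key == "superior" and current is not None:
            current["superior"] = rest
        elif key in ("requires", "allows") and not rest:
            section = key
        elif section is not None and current is not None:  # attribute list line
            for attr in line.split(","):
                if attr.strip():
                    current[section].add(attr.strip().lower())
        else:
            raise ValueError(f"unexpected schema line: {raw!r}")
    return classes


def effective_attributes(classes, name):
    """Follow the superior chain and collect (required, allowed) attribute sets."""
    required, allowed, seen = set(), set(), set()
    while name is not None:
        if name in seen:
            raise ValueError(f"cycle in superior chain at {name}")
        seen.add(name)
        cls = classes[name]
        required |= cls["requires"]
        allowed |= cls["allows"]
        name = cls["superior"]
    return required, allowed


def validate_entry(classes, entry):
    """Return a list of problems; an empty list means the entry conforms."""
    attrs = {k.lower(): v for k, v in entry.items()}
    oc = attrs.get("objectclass")
    if oc is None or oc not in classes:
        return [f"unknown or missing objectclass: {oc!r}"]
    required, allowed = effective_attributes(classes, oc)
    problems = [f"missing required attribute {a}" for a in sorted(required - attrs.keys())]
    # "dn" names the entry and is not an attribute governed by the object class.
    for attr in sorted(attrs.keys() - required - allowed - {"dn"}):
        problems.append(f"attribute {attr} not permitted by {oc}")
    return problems


CLASSES = parse_object_classes(SCHEMA_TEXT)

if __name__ == "__main__":
    print("good entry:", validate_entry(CLASSES, GOOD_ENTRY))
    print("no uid:    ", validate_entry(CLASSES, {k: v for k, v in GOOD_ENTRY.items() if k != "uid"}))
```

Because the front-end's LDAP request (step 102) asks for attributes by name, a schema check like this at entry-creation time is what keeps a mistyped attribute name from silently turning into "no remote password set" at authentication time.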

[0053] For ease of comprehension, only a limited number of attributes have been described, allowing a minimum authentication procedure. In practice, authentication procedures use more attributes, such as password expiration dates, check information, encryption keys, information for logging and debugging purposes... Those skilled in the art will add such attributes to the entries and object classes of a directory service and build the corresponding mapping tables in the front-ends for the various protocols which may be used for authentication.
Claims

1. A network access authentication system including:

a directory service (24) containing a remote access password and a standard access password for each user of the network;
an authentication protocol that provides information on whether a user is accessing the network locally or remotely; and
a front-end (22) between the directory service and the authentication protocol, for receiving a user identifier and a user password entered by a user through said authentication protocol, retrieving from the directory service the remote access password and the standard access password corresponding to the user identifier, and granting access to the network when the authentication protocol indicates a remote access and the user password equals the remote access password, or when the authentication protocol indicates a local access and the user password equals the standard access password.

2. A network access authentication system including:

a directory service (24) containing a remote access password, a standard access password, and a remote access password enable flag for each user of the network;
an authentication protocol that provides information on whether a user is accessing the network locally or remotely; and
a front-end (22) between the directory service and the authentication protocol for receiving a user identifier and a user password entered by a user through said authentication protocol, retrieving from the directory service the remote access password, the standard access password, and the remote access password enable flag corresponding to the user identifier, and granting access to the network if the authentication protocol indicates a remote access, the remote access enable flag has an active state, and the user password equals the remote access password, else if the authentication protocol indicates a local access or the remote access enable flag has an inactive state, and the user password equals the standard access password.

3. The authentication system of claim 1 or 2, wherein the front-end is a client for a protocol used by the directory service and a server for the authentication protocol, and includes a protocol attribute translation table for exchanging information between the authentication protocol and the directory service protocol.

4. The authentication system of claim 1 or 2, wherein the directory service uses the Lightweight Directory Access Protocol (LDAP), whereby each entry in the directory service is an instance of a predefined object class defining attributes which are used by the entry, a specific object class being created for the network users, that defines the attributes necessary for authenticating the users.

5. The authentication system of claim 1 or 2, wherein the front-end is an application executed on a computer hosting the directory service.

6. The authentication system of claim 1 or 2, including several authentication protocols and one front-end for each authentication protocol.

7. A network access authentication method using a directory service (24) containing a remote access password and a standard access password for each user of the network, including the steps of:

receiving (100) a user identifier and a user password entered by a user through an authentication protocol that provides information on whether the user is accessing the network locally or remotely;
retrieving (102) from the directory service the remote access password and the standard access password corresponding to the user identifier;
if the authentication protocol indicates a remote access, comparing (116) the user password to the remote access password, else comparing (118) the user password to the standard access password; and
granting access (112) to the network if the comparing step is successful.

8. A network access authentication method using a directory service containing a remote access password, a standard access password, and a remote access password enable flag for each user of the network, including the steps of:

receiving (100) a user identifier and a user password entered by a user through an authentication protocol that provides information on whether the user is accessing the network locally or remotely;
retrieving (102) from the directory service the remote access password, the standard access password, and the remote access password enable flag corresponding to the user identifier;
if the authentication protocol indicates a remote access and the remote access enable flag has an active state, comparing (116) the user password to the remote access password, else comparing (118) the user password to the standard access password; and
granting access (112) to the network if the comparing step is successful.

9. A network access authentication system including:

a directory service (24) containing a remote access password and a standard access password for each user of the network;
means (22) for receiving a user identifier and a user password entered by a user through an authentication protocol that provides information on whether the user is accessing the network locally or remotely;
means for retrieving from the directory service the remote access password and the standard access password corresponding to the user identifier;
means for comparing the user password to the remote access password if the authentication protocol indicates a remote access, else the user password to the standard access password; and
means for granting access to the network if the means for comparing indicate an equality.

10. A network access authentication system including:

a directory service (24) containing a remote access password, a standard access password, and a remote access password enable flag for each user of the network;
means (22) for receiving a user identifier and a user password entered by a user through an authentication protocol that provides information on whether the user is accessing the network locally or remotely;
means for retrieving from the directory service the remote access password, the standard access password, and the remote access password enable flag corresponding to the user identifier;
means for comparing the user password to the remote access password if the authentication protocol indicates a remote access and the remote access enable flag has an active state, else the user password to the standard access password; and
means for granting access to the network if the means for comparing indicate an equality.

11. The authentication system of claim 9 or 10, wherein said means for receiving, retrieving, comparing and granting access are included in a front-end (22) which is a client for a protocol used by the directory service and a server for the authentication protocol, and which includes a protocol attribute translation table (22-1) for exchanging information between the authentication protocol and the directory service protocol.